Darren J Moffat wrote:
> Recording /dev/vt/# in utmpx and using that for PAM_TTY looks like
> exactly the correct thing to do for the virtual consoles.
>
> Using /dev/console for utmpx and PAM_TTY for the primary (first) console
> also looks like the correct thing to do.

It's obvious for text console sessions. For graphical logins,
the display login manager, which sets PAM_TTY and utmpx, currently only
knows the display. So Xorg should provide a proper interface for the
display login manager to retrieve the virtual console associated with
each Xorg.
>
>
>
>> 3.2 Enhance PAM_TTY and ut_line in utmpx to support display name.
>>
>> So the PAM_TTY and the ut_line in utmpx can be directly set
>> to the display name by the display login manager.
>
>
> What problem is being solved here ?
So the PAM_TTY and the ut_line in utmpx would be unique for each
logged in user (even with graphical sessions).
>
>
>> With regards to the audit terminal ID, it can be extended to
>>
>> a) change "terminal ID" to "terminal name" in the audit
>> record. And the terminal name looks more straightforward
>> than the digital terminal ID.
>
>
> I don't see what problem is being solved here.
Currently the audit terminal ID includes the digital major and minor
number of PAM_TTY. So if we choose to use the display name (e.g. ":0")
as PAM_TTY, we have to change "terminal ID" to "terminal name" or
"display name" in the audit record. Otherwise we have to encode the
display name into digital major/minor number as stated below (3.2.b).
>
>
>> b) encode display name in a proper way to terminal ID, just
>> like for remote terminal ID:
>> ai.ai_termid.port = (peer->sin_port<<16 | sock->sin_port);
>
>
> So basically record the port number of the display in the audit record ?
> If so that sounds okay but who is writing this audit record ?
The display login manager (dtlogin/gdm).

Thanks,
Riny